Twitter moves to mitigate abuse

Twitter recently announced that it is taking action to mitigate spam and abuse of its service:

A couple weeks ago, Biz explained how Twitter users were being victimized by phishing scams spread primarily through links in Direct Messages. Basically, people click the link and bad things happen. My team can only detect these scams after malicious links have already been sent out.

Today, we’re launching a new service to protect users that strikes a major blow against phishing and other deceitful attacks. By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we'll be able to keep that user safe.

I’ve lamented in the past how insecure URL shortening services are. All it takes is for a spammer to run a malicious URL through one of them and then use the shortened URL in a spam message. They do this because they know that spam filters often block on the reputation of a domain, and if the spammer includes a well-known service like Bit.ly, Tr.im, or Cli.gs, the domain in the message is one with a good reputation. It is similar to a spammer taking over a legitimate email service like Hotmail, Gmail or Yahoo Mail. It is reputation hijacking. In the case of the URL, unless the spam filter follows the shortened URL and finds out what domain it actually points to, it cannot use URL reputation as part of its antispam decision. Most spam filters do not take the time to follow shortened URLs to their destination.

What Twitter is doing, or rather appears to be doing since I don’t know exactly what they are doing, is subscribing to a URL reputation service. These services are populated with URLs from around the Internet that have been deemed malicious by reliable sources. If the URL is part of the reputation service’s feed, Twitter will disallow the link. It’s like an IP blocklist for URLs. Twitter extracts the URLs, checks them against this service, and if they don’t show up the link is allowed to be tweeted. If not, too bad. Thus, they are proactively mitigating the abuse by outsourcing some of their anti-abuse technology to those who have a lot of experience doing it. Good for Twitter.

Now, if only we could get all of the URL shortening services to subscribe to these reputation services.

Terry, I asked Twitter if they were only filtering raw links posted via their web interface (i.e., links they can convert into their own Twitter-run short URL service), or if they will also inspect already shortened URLs that are posted (e.g., a bit.ly URL).

I haven’t heard back, so don’t know the answer. Seems to me it will only be the former though.

You’re right that companies like bit.ly should be using domain block lists to block malicious links from being used; it’s in their interests to avoid being outright blocked by email admins. But I have to wonder why email filtering products aren’t simply following shortened URLs to determine their end destination and making their filtering decisions on that.

Surely the software can be aware of the well known shortening services out there and test all links in emails that go to those services.
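The check the post describes (extract links, resolve them, compare the real destination domain against a reputation blocklist) and the commenter's suggestion of following known shorteners to their end destination, as an added example that is neither Twitter's nor any filtering product's code. The shortener list, blocklist, and redirect table are constructed for this example; a real filter would replace the `lookup` function with an HTTP request that reads the `Location` header without auto-following.

```python
import re
from urllib.parse import urlparse

# Constructed sample data for this example: a domain reputation blocklist,
# the well-known shorteners named in the post, and a redirect table that
# stands in for live HTTP lookups so the example runs offline.
BLOCKLIST = {"evil-example.test"}
SHORTENERS = {"bit.ly", "tr.im", "cli.gs"}
REDIRECTS = {
    "http://tr.im/xyz": "http://bit.ly/abc123",          # shortener chained to a shortener
    "http://bit.ly/abc123": "http://evil-example.test/login",
    "http://cli.gs/ok": "https://example.org/page",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def resolve(url, lookup=REDIRECTS.get, max_hops=5):
    """Follow shortener redirects until the URL lands on a non-shortener host.
    Returns (final_url, chain). Stops on a dead link, a redirect loop, or the
    hop limit so a filter cannot be stalled by an endless chain."""
    chain = [url]
    for _ in range(max_hops):
        host = (urlparse(url).hostname or "").lower()
        if host not in SHORTENERS:
            return url, chain
        nxt = lookup(url)
        if nxt is None or nxt in chain:
            return url, chain          # dead short link or loop: leave as-is
        chain.append(nxt)
        url = nxt
    return url, chain                  # hop limit reached: still a shortener


def classify(message, blocklist=BLOCKLIST, lookup=REDIRECTS.get):
    """Return a verdict per link: the real destination, hop count, whether the
    destination domain (or a subdomain of it) is on the blocklist, and whether
    resolution gave up while still on a shortener (worth quarantining)."""
    verdicts = []
    for raw in URL_RE.findall(message):
        final, chain = resolve(raw, lookup)
        host = (urlparse(final).hostname or "").lower()
        blocked = host in blocklist or any(host.endswith("." + d) for d in blocklist)
        verdicts.append({"url": raw, "final": final, "hops": len(chain) - 1,
                         "blocked": blocked, "unresolved": host in SHORTENERS})
    return verdicts
```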